EU catches up, takes steps to control export of intrusion spyware, IP monitoring

Privacy International, Reporters Without BordersDigitale GesellschaftFIDH, and Human Rights Watch welcome news that the European Commission will move ahead and add specific forms of surveillance technology to the EU control list on dual use items, thus taking steps to finally hold companies to account who sell spy equipment and enable human rights abuses.

These important steps demonstrate that policymakers are beginning to wake up to the real harm that exists in an industry that has previously acted with impunity, and allowed repressive states to commit serious abuses against pro-democracy activists, human rights defenders, political dissidents, and journalists.

Critically, by adding intrusion software and IP monitoring to the control list, this places exporters of surveillance technology such as FinFisher, Hacking Team and Amesys under more scrutiny as now they will be obligated to apply for licences for their technologies when exporting out of the EU, providing Governments with an opportunity to prevent the technology from being exported to human rights abusing regimes.

Many NGOs including, including those in the Coalition Against Unlawful Surveillance Exports (CAUSE), of which Privacy International is a member, have long campaigned on the damaging implications that surveillance technologies have on undermining fundamental human rights. This work has driven surveillance technology to be taken seriously as an issue at national, EU and international levels.

There are very real concerns about how these controls may negatively impact legitimate security research or ensare legitimate technologies. The new language doesn’t control “intrusion software” per se, but rather the software and technology used on servers to disseminate it. In other words, the controls are not aimed at the malware and rootkits that actually infect a device, but on the actual software used to create, deliver and instruct them. It is also important to remember that it is made very clear in the Wassenaar Arrangement (and by extension the EU list) that controls do not apply to technology or software in the public domain or relating to basic scientific research.

And while having these controls in place may not explicitly stop the export each time, these changes holds them more accountable to lawmakers and the public, while making the industry more transparent.

While we welcome this move to bring the EU into line with the 2013 Wassenaar updates and more into line with other international export regimes, it has come at a slow speed and more needs to be done. These updated controls have been known and publicised since December 2013 but due to bureaucratic delays in Brussels, it has taken this long for the controls to filter into the regulations of the 28 Member States, many of whom are leading exporters of surveillance technology.

Importantly, it has to be remembered that any changes made at the December 2014 Wassenaar Arrangement will not be incorporated into EU member states for possibly yet another year. The United States, a large exporter of such technology, has brought in some controls this past year but not all mentioned in the 2013 changes.

Still, this is an important step to finally hold a multi-billion dollar industry, which has a global reach, to account. We look forward to continuing to work with civil society, the research community, and policymakers to ensure that these measures ultimately protect human rights while allowing for legitimate and necessary security research to continue.

Kenneth Page, Policy Officer from Privacy International, said:

It's about time that EU Members stopped dragging their feet on surveillance exports, but simply adopting last years internationally agreed changes should not stop them from taking future initiatives"

Alexander Sander, Managing Director of Digitale Gesellschaft, said:   

We welcome the fact that EU is finally taking legal steps in this area. However, we trust these are only the first steps in the process to regulate these harmful surveillance technologies.”

Lucie Morillon, Programme Director of Reporters Without Borders, said: 

Europe is at last beginning to control surveillance technology but much remains to be done, especially knowing that two Enemies of the Internet – Gamma International and Hacking Team – were able to participate in the Technology Against Crime trade fair in France in 2013.”

Christian Mihr, Executive Director at Reporters Without Borders Germany, said:

We are relieved that, finally, the German government gave up its reluctance against regulating the export of such spyware. This is an important first step to secure human rights"

Wenzel Michalski, Director of Human Rights Watch Berlin, said:

Time and time again human rights activists and their families have been spied on, detained and even tortured - all enabled by surveillance technologies made here in the EU. The new moves by the EU are long needed steps in the right direction, but more still needs to be done."

Karim Lahidji, FIDH President, said:

FIDH welcomes this announcement by the EU Commission. Our ongoing litigation work against French surveillance companies Amesys and Qosmos for their alleged complicity in acts of torture in Libya and Syria make a strong case for the EU and its Member States to urgently strengthen their regulation on exports controls to prevent any further human violations resulting from this industry"